Safety And Non-Safety Parts Of The Application; Safety Code Analysis Tool - ABB AC500-S Safety User Manual


Only one access to output
As with states, each output should be written at only one point in the program.
No access to global variables from functions and function blocks
A function should have no side effects, and a function block should only change the state of its own instance. Functions and function blocks should therefore not access global variables.

4.4.5 Safety and non-safety parts of the application

For very complex applications, it is advisable to transfer all safety application parts to a separate control system. If this is not possible, the application parts should be separated through the following measures:
Blocks (programs, function blocks and functions) are either safety blocks or not. All safety blocks should be identified through a prefix (e.g., "S_").
Calls of non-safety blocks in safety blocks are not permitted. This must be checked with the "Show project call tree" function.
Calls of safety blocks in non-safety blocks are limited to standard functions. This must be checked with the "Show project call tree" function.
Global variables are either safety or not. All safety variables should be identified through a prefix (e.g., "S_"). All safety variables are defined in separate variable lists that are also identified through a prefix.
Write access to safety variables from non-safety blocks is not permitted. This must be checked with the "Show project cross-reference list" function.
Write access to non-safety variables from safety blocks is not permitted. This must be checked with the "Show project cross-reference list" function.
The I/O addresses for safety application parts and non-safety application parts are separated into different ranges, with the safety parts coming first (lower addresses) in memory.
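The call-tree and cross-reference checks listed above, expressed as a small static check over a project model. This is an added example, not ABB's SCA tool or any CODESYS API: the POU names, call lists and written globals are a constructed sample, and the "S_" prefix decides which side of the boundary a block or variable belongs to.

```python
from dataclasses import dataclass, field

SAFETY_PREFIX = "S_"  # prefix the manual recommends for safety blocks and variables


def is_safety(name: str) -> bool:
    return name.startswith(SAFETY_PREFIX)


@dataclass
class POU:
    """A program, function block or function, with what the project call tree
    and cross-reference list would report for it (constructed model)."""
    name: str
    calls: list = field(default_factory=list)   # blocks this POU calls
    writes: list = field(default_factory=list)  # global variables this POU writes


def check_separation(pous, standard_functions=frozenset()):
    """Return one finding per violation of the call and write-access rules.

    standard_functions: safety-side standard functions that a non-safety block
    may still call, the only exception the manual allows for that direction.
    """
    findings = []
    for pou in pous:
        safe = is_safety(pou.name)
        for callee in pou.calls:  # "Show project call tree" rules
            if safe and not is_safety(callee):
                findings.append(f"{pou.name} calls non-safety block {callee}")
            elif not safe and is_safety(callee) and callee not in standard_functions:
                findings.append(f"{pou.name} calls safety block {callee}")
        for var in pou.writes:  # "Show project cross-reference list" rules
            if safe and not is_safety(var):
                findings.append(f"{pou.name} writes non-safety variable {var}")
            elif not safe and is_safety(var):
                findings.append(f"{pou.name} writes safety variable {var}")
    return findings


# Constructed sample project with hypothetical POU and variable names.
SAMPLE_PROJECT = [
    POU("S_EStopMonitor", calls=["S_Debounce", "LogEvent"], writes=["S_EStopOK"]),
    POU("S_Debounce", writes=["S_DebounceCount"]),
    POU("MainProgram", calls=["S_EStopMonitor", "LogEvent"], writes=["S_EStopOK", "CycleCount"]),
    POU("LogEvent", writes=["LogIndex"]),
]

if __name__ == "__main__":
    for finding in check_separation(SAMPLE_PROJECT):
        print(finding)
```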
The following measures should also be adhered to in the non-safety part:

4.5 Safety code analysis tool

Instead of manually checking the CODESYS Safety programming guidelines, the ABB software tool "AC500-S Safety Code Analysis" (SCA) can be used to automatically check most of the safety rules defined by CODESYS.
The detailed description of how to use the ABB SCA tool can be found at www.abb.com/plc and in its help system. The AC500-S SCA tool can be downloaded free of charge from www.abb.com/plc.
There are rules which still have to be checked manually (see Table 13 "CODESYS Safety programming rules to be checked manually" on page 181). The AC500-S SCA tool is not able to detect them in the safety application program.

Table 13: CODESYS Safety programming rules to be checked manually
Columns: "Rule for manual check in CODESYS Safety" and "Comments (relevance for AC500-S)"

Rule: Verify that the watchdog is activated. Verify that the watchdog time is set sufficiently shorter than the process failure response time.
Comment: Use the special library POU SF_WDOG_TIME_SET (see Chapter 4.6.7.3 "SF_WDOG_TIME_SET" on page 302).

Rule: Verify that there is only one task.
Comment: AC500-S supports only one task, thus there is no need for this check.

Rule: Verify that, other than standard libraries, only libraries certified for safety applications are used.
Rule: For each POU, verify that there are no unnecessary state variables.
Rule: Limited application of pointers.
Rule: Range check of indices before write access to fields (ARRAY).
Rule: No multiple address allocation.
Comment: These rules are included in the "Checklist for creation of safety application program" on page 326 (see Chapter 6.2).

3ADR025091M0208, 12, en_US   2020/06/19
Configuration and programming > Safety code analysis tool   181
